[How To] Getting your droid to Sync with Exchange 2003/2007

Status
Not open for further replies.

Pyromanci

Hello,

This will be my first How To for the droid, though I do hope to have many more coming.

This past week I have spent a lot of time searching for answers to get my droid to sync to our company's Exchange server, only to find bits and pieces of what I need on different sites. So I'm gonna save anyone else this hassle and post a full guide. Also I do apologize if this guide is a little too dumbed down; I'm just used to writing how-tos here for non-tech people.

1). Things you need to know
OK, this guide will cover the necessary setup for Exchange 2003 or 2007 to use ActiveSync or OWA (Outlook Web Access) to do live calendar, contacts, tasks, and email sync to the Android phone.

This guide expects that you already have Exchange installed with at least a standard install and setup and will only tell you the modifications that need to be made.

This guide is based only on things I've done to get our Droids here at our office to sync up to Exchange. I am not responsible for any damages that may occur. If this guide doesn't help or there are problems I'll be more than glad to assist in any way I can (within reason).

2). Setting up your network.
Simply ensure that port 443 is forwarded to your IIS server that holds the OWA or ActiveSync directories. I leave how this is done up to you, as each network is set up differently with different hardware and software.

If you're an IT professional who worries about unwanted outside server access (I know I am one of them), I will explain the process of locking down IIS (if you don't use OWA).

3). Setting up IIS and Exchange
First off we need to make sure some of the necessary components are installed on the server.

  1. Open up Control Panel ->Add or Remove Programs ->Add/Remove Windows Components
  2. Now if you want to lock down the IIS, make sure "Certificate Services" is checked.
  3. Next select "Application Server" and then click "Details"
  4. Next select "Internet Information Services (IIS)" and then click "Details"
  5. Next select "World Wide Web Service" and then click "Details"
  6. Make sure that "WebDAV Publishing" is checked.
  7. Then hit "OK"
  8. Then hit "OK"
  9. Then hit "OK"
  10. If you made any changes hit Next and follow the prompts.

Next we need to check and confirm some settings in Exchange.

  1. Open the Exchange System Manager (ESM).
  2. Expand the Global Settings tree.
  3. Right click on Mobile Service, choose Properties
  4. Ensure that the ActiveSync options are all checked.
  5. Leave "Device Security" and OMA (Outlook Mobile Access) as is.

Now if you are wanting to beef up security to help prevent unauthorized access to the server, here is what you can do.

  1. If you use OWA from outside your company network, there really isn't much more you can do. At this point you should have already planned out a decent security setup.
  2. If you don't use OWA from outside your network and plan to use ActiveSync on your Droid (the best way to get your information from Exchange), what you can do is step through all base folders on IIS under "Default Site" (or whatever site has your OWA and ActiveSync installed) and set the security on them to block all non-local network traffic. The only folder you need to leave available to the internet is the directory Microsoft-Server-ActiveSync.
  3. If you plan to use OWA for your syncing, then do the same as number 2, but this time leave the exchweb and exchange folders open to the internet.
  4. If you plan to use client SSLs, you need to set the directories you left open to require SSL first and then require client SSLs.

4). Setting Up Your Droid
Note: I have only set up the droid for the Motorola Droid version 2.0 firmware. So this setup may not work for others.

Now there are several programs that you can use. The built-in ActiveSync controls for the droid are fine, but they have limitations, such as:
  1. You can't use a client SSL for extra security
  2. You can't move emails to different folders.
The program we have chosen to use here is TouchDown by Nitrodesk. The primary reason we chose to use it is because of client SSLs and the ability to move emails to different folders. So I'm going to be starting off with the setup for that first.

  1. Download and Install TouchDown from the market.
  2. If you're not using client SSLs
    1. Launch TouchDown
    2. If it does not ask you to do quick configure, on the left hand side of the screen click the gear icon and it will take you to setup and then ask if you want quick configuration.
    3. Do the quick configuration.
    4. Enter in your information (username, domain, email, password, server) and click Next
    5. On "Use SSL", say Yes and click Next
    6. Then on the protocols page leave all 3 checked and click Next
    7. TouchDown will then go through and check the settings and the server to see if it can sync.
    8. You can then go back into the settings area and go to Advanced and adjust settings and folders as you see fit.
  3. If you are using client SSLs
    1. Open up IE (you have to use IE; other browsers won't be able to export the client SSL properly) and go to http://<ip_address/hostname>/certsrv where <ip_address/hostname> is the IP address or hostname of your IIS box.
    2. Log in with the username you're setting up the sync for.
    3. Click "Request a certificate"
    4. Click "User Certificate"
    5. Click "More Options >> "
    6. Click "use the Advanced Certificate Request form"
    7. Change "Certificate Template" to user.
    8. Make sure "Mark keys as exportable" is checked
    9. Then click Submit
    10. Then click "Install this certificate"
    11. Now in IE open Tools->Internet Options->Content->Certificates
    12. Select the certificate that was just installed.
    13. Click "Export"
    14. Select "Yes, export private keys"
    15. Click "Next"
    16. Make sure "Personal Information Exchange - PKCS #12 (.PFX)" is selected, as well as all its sub-options.
    17. Type in a password that will be used when you import the certificate into the phone.
    18. Click "Next"
    19. Pick where you want to save the file and name it client.pfx
    20. Click "Next"
    21. Click "Finish"
    22. Go ahead and close I.E.
    23. Now connect the droid to the computer and mount the SD card so the computer can access it.
    24. Place the client.pfx file in the base directory of the SD card.
    25. Unmount the SD card.
    26. Open TouchDown. If it asks for quick configure say no.
    27. Click the gear icon to the left.
    28. If it asks for quick configure say no
    29. On the account tab, enter in Login ID, email address, password, and Folder language.
    30. Hit "Save" and then go to the advanced tab.
    31. On the Advanced tab go down to the bottom of it and click "Client Certs".
    32. In the window that pops up, click "Set".
    33. It should ask you for a password; enter the password you gave the certificate when you exported it.
    34. Now go to the Connections tab.
    35. Select the connection mode you want.
    36. Enter in your server's external domain name or ip address.
    37. Make sure Use SSL is checked.
    38. Check "Fetch and trust certificate" if you use a self signed SSL, or your SSL is expired.
    39. Then click "ActiveSync..." if you're using ActiveSync, then click Refresh.
      • This is the point where most problems come in. If you get any errors, read the error and look at the response code.
      • If you see 403, it means you entered the wrong account info, or there is something wrong with the client SSL.
      • If you see 404, then you entered the wrong server name in on the connection page.
      • As you see they are just standard HTTP error codes.
    40. After you have gotten it to accept your connection settings, go back to Advanced.
    41. Check "Automatically check for new messages" if you want that
    42. Set your polling interval
    43. If you use ActiveSync, ensure Enable Push is checked.
    44. Message History: depending on the size of the email account, you want to start small and work your way up. I have over a 1GB email box and had to increase it after every full sync until I got to 180 days. Though I have noticed with this much data the program does run sluggish every now and then.
    45. The options I'll leave up to you.
    46. Now, after you set the options the way you like, go to "Choose Folders..."
      Depending on the Connection Mode you chose, you may need to hit the "Refresh Folders" button before anything shows up in "Choose Folders...".
    47. Then select all the folders you want available on the phone. Note: To sync calendar, contacts, and tasks you have to select them in that list.
    48. After you have selected the folders, click "Save".
    49. Then I always like to hit the "Backup Settings" button and then go onto the SD card and pull the backup of it in case something happens.
    50. Then click Close and your phone will start syncing.
      Note: It's best to let the phone sit while this first sync is taking place. I've seen it today where one of the people I just got set up started going crazy with app installs and playing with the phone, and because the sync was taking place his phone locked up and corrupted a lot of data and applications. So we had to set up TouchDown again. Which is why I back up settings now.

For the built-in sync for the droid (this method does not support client SSL), you do the following:

  1. From your home screen open "Settings"
  2. Select "Accounts & sync settings"
  3. Click "Add an Account"
  4. Select "Corporate"
  5. Enter the email address you will be sending from
  6. Enter your password
  7. Check if you want to send from this account by default
  8. Click next
  9. Enter the Domain Name and username to login with
  10. Enter the password for that login
  11. Adjust the Exchange Server if it is not correct.
  12. Make sure "Use secure connection (SSL)" is checked
  13. Check "Accept all SSL certificates" if you use a self signed certificate.
  14. Then click "Next".
  15. The phone should now check and validate your connection settings.
  16. It should then start to sync.

There it is. I'll be adding images as soon as I can and cleaning up this how-to as things are asked or pointed out. I'm also going to go through and verify some of the IIS settings for non-ActiveSync based syncing.

Please leave comments. If you have questions shoot me a message and I will answer to the best of my ability. Now on to the VPN nightmare.
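
A way to check the lockdown from section 3 after the fact, as an added example that is not part of the original post: it reads IIS W3C log text and lists requests from outside the LAN that reached any directory other than Microsoft-Server-ActiveSync without being rejected by the IP restriction (403.6). The LAN range, the function names and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumption: the office LAN
# Directories left open to the internet (ActiveSync-only variant of the guide;
# for the OWA variant add "exchweb" and "exchange").
OPEN_DIRS = {"microsoft-server-activesync"}
# IIS 403 sub-status codes that matter for this setup
SUBSTATUS = {4: "SSL required", 6: "IP address rejected",
             7: "client certificate required"}

# Constructed sample in IIS W3C extended log format (not taken from the thread)
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip sc-status sc-substatus
2009-12-04 10:00:01 OPTIONS /Microsoft-Server-ActiveSync 203.0.113.7 200 0
2009-12-04 10:00:05 GET /exchange/ 203.0.113.7 403 6
2009-12-04 10:00:09 GET /exchweb/ 198.51.100.23 200 0
2009-12-04 10:00:12 POST /Microsoft-Server-ActiveSync 198.51.100.23 403 7
2009-12-04 10:00:20 GET /exchange/ 192.168.1.50 200 0
"""

def parse_w3c(text):
    """Yield one dict per request, using the #Fields header for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def audit(text):
    """Return (exposed, rejected): external hits that got past the IP
    restriction on closed directories, and 403 reasons on open ones."""
    exposed, rejected = [], Counter()
    for row in parse_w3c(text):
        if ipaddress.ip_address(row["c-ip"]) in LOCAL_NET:
            continue  # local traffic is allowed everywhere
        top = row["cs-uri-stem"].strip("/").split("/")[0].lower()
        status, sub = int(row["sc-status"]), int(row["sc-substatus"])
        if top in OPEN_DIRS:
            if status == 403:
                rejected[SUBSTATUS.get(sub, "403.%d" % sub)] += 1
        elif (status, sub) != (403, 6):
            exposed.append((row["c-ip"], row["cs-uri-stem"], status))
    return exposed, rejected

if __name__ == "__main__":
    exposed, rejected = audit(SAMPLE_LOG)
    for ip, path, status in exposed:
        print("NOT BLOCKED: %s -> %s (HTTP %d)" % (ip, path, status))
    for reason, count in rejected.items():
        print("ActiveSync 403 (%s): %d" % (reason, count))
```

Any line reported as not blocked means that directory still answers internet clients; the 403 breakdown for the ActiveSync directory separates certificate problems (403.7) from SSL or IP restriction problems.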
 
I have ActiveSync set up and working on the droid, but would you happen to know why sometimes the push function doesn't work? I have Exchange 2003 SP2. Sometimes email comes in perfectly and sometimes I have to actually go to the corporate email icon on the droid for the mail to actually come in.
 
OK, I don't really know why it comes in and doesn't, but what I do know is that the default ActiveSync client in the droid (I assume that is what you're using since you said corporate email icon) does not actually allow push. It will only pull. I originally read this in a few articles on the net and tested it myself. I would force a push on the server and the phone would never get it. This is what you're seeing.
 
Thanks for the post, this has been very helpful! When I reached number 39 and clicked Refresh it says "initializing active sync"; this took about 10 - 15 minutes, then it timed out with the following message: "active sync exception timed out policies not initialized." Any thoughts on what I need to do next?
 
OK, well there are a few things that could be causing this. Let's look at it this way.

First, do you see any event IDs 7023, 3015, 3024, 4292 in your server's event log?
Second, have you installed Domain Name System (DNS) security update 953230 (MS08-037) on the server?

If you say yes to either of those, this is a problem where the DNS server is starting up on ActiveSync's ports. So everything is going wacky. Follow this article to help resolve the problem.
Some services may not start or may not work correctly on a computer that is running Windows SBS after you install the DNS Server security update 953230 (MS08-037)

Next, just to double check, you do have Exchange 2003 SP2 or Exchange 2007 installed?

Next step, if all else fails: it sounds like the request is getting to the server, but the server is not responding. This could be caused by ISA or other firewall software; possibly even the router being used to forward traffic is getting it to the machine but not back.

Let me know if this is of any help.
 
Thanks but none of those apply to me I am already at ex2003sp2, I have several phones to configure so I used a different one and just set up the email without touchdown or a certificate and it worked - how? at least how without the cert! Shouldn't it require one??? Also, how would I remove the cert from the first phone?
 
Okay, check this out! On the phone I couldn't get to work the user had turned on and configured the WiFi with our Public access, once we turned off the WiFi it allowed us to configure Exchange 2003 and all is well. Next we turned the WiFi back on and configured it with our internal Private access (network) and it still worked. When we get a chance we'll test it outside the company at either home or internet cafe to see if it still works. But our internal Public access will not allow it to work.

I would still like to know if I will have any security issues if I do not install a certificate on the phone?
 
OK, I'll have to look at the WiFi settings here once I'm back in the office (currently out on a business trip, monitoring this from my droid). Did you have it set to require SSL? If not, then there are more ports that need to be opened.

Now you said you set up one in the default mail client and did it without a client SSL. So I assume you don't have the exchange directory set to require SSL and require a client cert, correct?

Now as for removing a client SSL from a phone, I assume this is if a person no longer has rights to the server or a phone is lost/stolen? If so, you can't remotely remove it or wipe the phone (the biggest drawback to using it for corporate use). The most you can do right now is just go into the server's certificate authority control panel (in Administrative Tools) and revoke the user's certificate, and that will stop the phone from pulling more data.

Without a client cert being required for ActiveSync and locking down the other directories, your IIS is more vulnerable to hackers. Me, I always take the approach of limiting the possible openings for hackers.
 
Did you have it set to require ssl?
Yes, it was set to SSL.

So I assume you don't have the exchange directory set to require ssl and require a client cert correct?
I assumed this was done because our previous Motorola Q phones were set up with certs. After checking the Exchange directory it is not configured with ssl. The Microsoft-Server-Activesync directory is configured with ssl but is set to ignore client cert, the OMA directory is configured the same way.

Now as for removing a client ssl from a phone, I assume if a person no longer has rights to the server or a phone is lost/stolen?
I wanted to remove it from the first phone just to get back to square one. But now that you mention it - I don't know much about the remote access or wipe feature but I think it is configured in the Mobile Service Properties Device Security.

Your help or suggestions on any of this is greatly appreciated!
 
So if I were to convert my SSL cert file to .p12 format and install it on the Droid, I would still be unable to sync (Contacts, Email, Calendar, Task) via the built-in sync software on the Droid? Without this cert on the Droid, Exchange synchronization will not take place on the built-in software? I have to use a third party app?
 
I'd like to add something here. I switched from a Blackberry Curve yesterday and was having all kinds of issues with Contacts syncing up on my Verizon HTC Eris that I got for $30 at Best Buy. I am the Exchange admin for my company and I ended up going into the logs on the server and finding that there were issues with all contacts that I had a picture associated with.

They were all for friends of ours that my wife sent to me from her Blackberry (non-Enterprise email) using Blackberry Messenger, long before I ever got the Eris. They sync'd with my Outlook fine back then through my Blackberry Enterprise Server, but for some reason the Eris did NOT like them.

Even though it was just a few Contacts that had pics on them, only about a dozen of the remaining contacts (out of a couple hundred) would show up on the phone - always the same ones, not in any discernable order (alphabetical, etc.), and they'd eventually disappear altogether.

After removing the pictures in Outlook on my work PC, the Contacts sync'd up just fine. I imagine that a lot of issues people are having, even with calendar and emails, have to do with little nuances like this. It's just a matter of finding which "entries" are causing the problems and finding the common denominator with those pieces.

Hope this helps someone, 'cause this was a pain for me that was giving me thoughts about returning the phone, which I really didn't want to do because I love everything else about it.

 
Anyone notice an issue with calendar invites? Original invites are received fine, and can be accepted and appear on the droid calendar. If the organizer updates the invite, all I get is an email with the info and no ability to accept. And if the meeting time changes, the original time remains on the droid calendar and the new time also appears (it appears by default as tentative by outlook). Once I go into outlook and accept the update, the droid calendar resynchs and updates to remove the old time slot.
 